vidar | 43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1 | Triage

Analysis

max time kernel
119s
max time network
121s
platform
windows10_x64
resource
win10-en-20210920
submitted
11-10-2021 11:20

Sharing

Report Analysis Logs

General

Target

43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe
Size

770KB
MD5

1ca9583e6f4524151c23b0baa273d9ff
SHA1

ad39613a3e42aa165931dda8b9c3832e2e7184c8
SHA256

43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1
SHA512

ed762bfbd39dfc5110389818c3f99ca753072f11d8fef749e848f5cc9535fa010ba6eb9b788b5b358241e8ef7b1b77bbfb8ada10b5c83771bd7a9cc03199c1ba

Score

10^/10

vidar 1008 stealer

Malware Config

Extracted

Family

vidar

Version

41.2

Botnet

1008

C2

https://mas.to/@serg4325

Attributes

profile_id
1008

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4352 created 3556 4352 WerFault.exe 43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3556-117-0x0000000000400000-0x0000000001735000-memory.dmp	family_vidar
behavioral1/memory/3556-116-0x0000000003380000-0x0000000003456000-memory.dmp	family_vidar

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4352 3556 WerFault.exe 43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4352 WerFault.exe
Token: SeBackupPrivilege 4352 WerFault.exe
Token: SeDebugPrivilege 4352 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe
"C:\Users\Admin\AppData\Local\Temp\43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe"
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 940
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3556-115-0x00000000019F6000-0x0000000001A72000-memory.dmp

Filesize
496KB

Download
memory/3556-117-0x0000000000400000-0x0000000001735000-memory.dmp

Filesize
19.2MB

Download
memory/3556-116-0x0000000003380000-0x0000000003456000-memory.dmp

Filesize
856KB

Download